Cloud identity reached a throttling API rate

Cortex XDR Analytics Alert Reference by data source

Product: Cortex XDR
Last date published: 2026-05-10
Category: Analytics Alert Reference
Index by: data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
      OR
    • Azure Audit Log
      OR
    • Gcp Audit Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Impact (TA0040)

ATT&CK Technique

Network Denial of Service (T1498)

Severity

Informational

Description

A cloud identity has executed a high volume of API calls, causing a throttling error.

Attacker's Goals

Abuse cloud resources; such behavior is usually seen during cryptocurrency attacks.

Investigative actions

  • Check the resources created by the identity and their legitimacy.
  • Look for any unusual behavior originating from the suspected identity.
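
The investigative actions above, as an added example run over constructed AWS CloudTrail-style records (this is not Cortex XDR's detection logic or code from this reference). The threshold, the create-prefix list and the sample identities are assumptions.

```python
from collections import Counter, defaultdict

# Error codes AWS services return when a caller exceeds an API rate limit.
THROTTLE_CODES = {"Client.RequestLimitExceeded", "RequestLimitExceeded",
                  "ThrottlingException", "Throttling", "TooManyRequestsException"}
# Event-name prefixes treated as resource creation (assumption for this example).
CREATE_PREFIXES = ("Run", "Create", "Launch")

def ev(arn, name, error=None, region="us-east-1"):
    """Build a minimal record using CloudTrail field names."""
    rec = {"userIdentity": {"arn": arn}, "eventName": name, "awsRegion": region}
    if error:  # successful CloudTrail events carry no errorCode field
        rec["errorCode"] = error
    return rec

# Constructed sample data: one identity launching instances in several regions
# until it is throttled, and one identity with a single incidental throttle.
SVC = "arn:aws:iam::111122223333:user/ci-deployer"
OPS = "arn:aws:iam::111122223333:user/ops-admin"
EVENTS = ([ev(SVC, "RunInstances", region=r)
           for r in ("us-east-1", "eu-west-1", "ap-south-1")]
          + [ev(SVC, "RunInstances", "Client.RequestLimitExceeded")] * 4
          + [ev(OPS, "DescribeInstances", "ThrottlingException"),
             ev(OPS, "CreateBucket")])

def throttled_identities(events, threshold=3):
    """Identities with >= threshold throttling errors, with the throttled APIs."""
    hits = defaultdict(Counter)
    for e in events:
        if e.get("errorCode") in THROTTLE_CODES:
            hits[e["userIdentity"]["arn"]][e["eventName"]] += 1
    return {arn: dict(c) for arn, c in hits.items()
            if sum(c.values()) >= threshold}

def created_resources(events, arn):
    """Successful create-type calls by one identity as (API, region) -> count."""
    made = Counter()
    for e in events:
        if (e["userIdentity"]["arn"] == arn and not e.get("errorCode")
                and e["eventName"].startswith(CREATE_PREFIXES)):
            made[(e["eventName"], e["awsRegion"])] += 1
    return dict(made)

if __name__ == "__main__":
    for arn, apis in throttled_identities(EVENTS).items():
        print(arn, apis, created_resources(EVENTS, arn))
```

Successful create calls spread across regions the identity does not normally use are the resources to check for legitimacy first.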

Variations

Cloud identity reached a highly unusual throttling API rate

Synopsis

ATT&CK Tactic

Impact (TA0040)

ATT&CK Technique

Network Denial of Service (T1498)

Severity

Low

Description

A cloud identity has executed a high volume of API calls, causing a throttling error.
This indicates a high volume of cloud instance allocation; such activity may be related to a cryptocurrency attack.

Attacker's Goals

Abuse cloud resources; such behavior is usually seen during cryptocurrency attacks.

Investigative actions

  • Check the resources created by the identity and their legitimacy.
  • Look for any unusual behavior originating from the suspected identity.


Cloud identity reached an unusual throttling API rate in the cloud project

Synopsis

ATT&CK Tactic

Impact (TA0040)

ATT&CK Technique

Network Denial of Service (T1498)

Severity

Informational

Description

A cloud identity has executed a high volume of API calls, causing a throttling error.
This API rate is unusual at the project level.

Attacker's Goals

Abuse cloud resources; such behavior is usually seen during cryptocurrency attacks.

Investigative actions

  • Check the resources created by the identity and their legitimacy.
  • Look for any unusual behavior originating from the suspected identity.


Cloud identity reached an unusual throttling API rate

Synopsis

ATT&CK Tactic

Impact (TA0040)

ATT&CK Technique

Network Denial of Service (T1498)

Severity

Informational

Description

A cloud identity has executed a high volume of API calls, causing a throttling error.
This activity is unusual for the cloud identity and was not seen in the last 30 days.

Attacker's Goals

Abuse cloud resources; such behavior is usually seen during cryptocurrency attacks.

Investigative actions

  • Check the resources created by the identity and their legitimacy.
  • Look for any unusual behavior originating from the suspected identity.